Adoptable Cookbooks List

Looking for a cookbook to adopt? You can now see a list of cookbooks available for adoption!
List of Adoptable Cookbooks

Supermarket Belongs to the Community

Supermarket belongs to the community. While Chef has the responsibility to keep it running and be stewards of its functionality, what it does and how it works is driven by the community. The chef/supermarket repository will continue to be where development of the Supermarket application takes place. Come be part of shaping the direction of Supermarket by opening issues and pull requests or by joining us on the Chef Mailing List.

Select Badges

Select Supported Platforms

Select Status


secret (1) Versions 1.0.0

Managing secrets in Chef recipes

cookbook 'secret', '~> 1.0.0', :supermarket
cookbook 'secret', '~> 1.0.0'
knife supermarket install secret
knife supermarket download secret
Quality 43%

secret cookbook

Managing secrets in Chef recipes.


secret =
secret.get('postgres:password:root')  # supersecretpassword


If you use Chef encrypted data bags for storing secrets (passwords, API keys etc.), you might have written some code like this below:

secret_val = data_bag_item(DATA_BAG_NAME, DATA_BAG_ITEM_NAME)[SUBKEY_1][SUBKEY_2][SUBKEY_3]

Assuming you have several servers (Chef nodes) and various environments (development, staging, production), the scheme below is good enough for managing secrets for all assets in one repository:

  1. DATA_BAG_NAME stands for a category. E.g. postgres for stroring all PostgreSQL server user passwords.
  2. DATA_BAG_ITEM_NAME stands for an environment. E.g. staging.
  3. SUBKEY_1 (in fact, all top-level keys within JSON associated with a particular data bag item) stands for server (Chef node) FQDN.

With that in mind, the postgres::staging data bag item JSON will contain the following data:

  "id": "staging",
  "": {
    "password": {
      "root": "reallystrongpassword1"
  "": {
    "password": {

In order to obtain the necessary password while provisioning server, you can write in your recipe:

postgres_pwd = data_bag_item('postgres', node.chef_environment)[node['automatic']['fqdn']]['password']['root']

secret cookbook will make the difference:

secret =  # initialize once in a recipe
postgres_pwd = secret.get('postgres:password:root')

You only need to pass DATA_BAG_NAME and subkeys, excluding environment and FQDN values (they are detected automatically).

Advanced usage

secret_val = secret.get(query, options)

where query is a string and options is a Ruby Hash.

default option

secret.get will return a default value in case there is no one defined in a data bag item.

required option

Whether a value must be defined in a data bag item or by a default option. By default is true. A provision process will fail if a required value is not defined in a data bag item and there is no default value.

item option

Overrides DATA_BAG_ITEM_NAME. By default it equals node.chef_environment.

prefix_fqdn option

Whether or not prepend server (Chef node) FQDN to the query. By default is true. When the value is false, your data bag item JSON should look like this:

  "id": "staging",
  "password": {
    "root": "reallystrongpassword1"

This may be suitable for environments with a single node or several nodes with shared secrets.

Not only can this option be customised in a server.get call, but it may also be changed globally with node['secret']['prefix_fqdn'] attribute (true by default).


val1 = secret.get('postgres:password:user', default: nil)
val2 = secret.get('aws:s3:access_key', prefix_fqdn: false)


MIT @ Alexander Pyatkin

Collaborator Number Metric

1.0.0 failed this metric

Failure: Cookbook has 0 collaborators. A cookbook must have at least 2 collaborators to pass this metric.

Contributing File Metric

1.0.0 failed this metric

Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of, and your repo must contain a file

Foodcritic Metric

1.0.0 passed this metric

No Binaries Metric

1.0.0 passed this metric

Supported Platforms Metric

1.0.0 failed this metric

secret should declare what platform(s) it supports.

Testing File Metric

1.0.0 failed this metric

Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of, and your repo must contain a file

Version Tag Metric

1.0.0 passed this metric